Lithium Press

Technology Article Directory


Digital Product Security Considerations

editor, March 19, 2025 (updated March 27, 2025)

When procuring products, Operational Technology (OT) owners and operators should select products from manufacturers who prioritize the following security elements:

Configuration Management: The product supports controlling and tracking modifications to configuration settings and engineering logic. Seek out manufacturers whose products back up and deploy system configurations in a secure and simple manner.

Logging in the Baseline Product: The product supports logging of all actions—including changes to configuration, security events, and safety events—in the baseline versions using open standard logging formats. Seek out products that come with standardized access and change logs for building incident response capabilities.

Open Standards: The product uses open standards to support secure functions and services and for migrating configuration settings and engineering logic. Seek out products that support open, interoperable standards to facilitate replacing or adding products.

Ownership: The product gives owners and operators full autonomy over said product, including maintenance and changes. Seek out products that enable operator autonomy while minimizing dependency on the vendor.

Protection of Data: The product protects the integrity and confidentiality of data, services, and functions, including a product’s configuration settings and engineering logic. Seek out products that treat operational data as valuable and protect it at rest and during transit to and from vendors and manufacturers.

Secure by Default: The product is delivered secure out of the box, reducing the attack surface and removing the hardening burden from owners and operators. Seek out products that include all security features in all versions; eliminate default passwords; enforce appropriate password length and complexity; use secure, up-to-date protocol versions with older insecure protocols (e.g., SNMPv1/v2, Telnet, SSL, TLS 1.0/1.1) disabled by default; do not unnecessarily expose external interfaces; and give authorized users the ability to reset the product configuration to its original state.

Secure Communications: The product supports secure, authenticated communication using deployed digital certificates that fail loudly (e.g., when a certificate expires) but allow critical processes to continue. Seek out products that simplify digital certificate deployment and renewal such that operators do not need to be cyber experts to achieve secure authenticated communications.
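The logging and secure-communications items above describe what a product's records and certificate handling should look like, but not what that looks like in practice. The following is an added example, not code from this page or from any vendor: it emits configuration, security and safety events as RFC 5424 syslog records with structured data (the open-standard format most collectors ingest), parses them back so an incident responder can rely on the fields, and applies a certificate-expiry policy that logs an ALERT-level record when a peer certificate has expired but keeps the session open when it protects a critical process. The hostnames, event fields, certificate dictionaries and clock are constructed for the example, and the enterprise number 32473 is the one reserved for documentation.

```python
"""Added example (not from the page): RFC 5424 syslog records with structured data
for configuration, security and safety events, plus a certificate-expiry policy
that fails loudly while letting critical processes continue."""
import re
import ssl
from datetime import datetime, timezone

FACILITY_LOCAL0 = 16  # RFC 5424 facility code for local0
SEVERITY = {"EMERG": 0, "ALERT": 1, "CRIT": 2, "ERR": 3,
            "WARNING": 4, "NOTICE": 5, "INFO": 6, "DEBUG": 7}
SD_ID = "evt@32473"  # 32473 is the enterprise number reserved for documentation


def _sd_escape(value):
    # RFC 5424 section 6.3.3: '"', '\' and ']' inside a PARAM-VALUE must be escaped
    return re.sub(r'(["\\\]])', r"\\\1", value)


def syslog_record(severity, hostname, app, msgid, params, msg, when):
    """Return one RFC 5424 line: <PRI>1 TIMESTAMP HOST APP PROCID MSGID SD MSG."""
    pri = FACILITY_LOCAL0 * 8 + SEVERITY[severity]
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    sd = "[" + SD_ID + "".join(f' {k}="{_sd_escape(str(v))}"' for k, v in params.items()) + "]"
    return f"<{pri}>1 {ts} {hostname} {app} - {msgid} {sd} {msg}"


# Header: an unescaped ']' cannot occur inside structured data, so the SD element
# is matched as "[" ... "]" with escaped characters consumed in pairs.
_HEADER = re.compile(
    r"^<(\d{1,3})>1 (\S+) (\S+) (\S+) (\S+) (\S+) (\[(?:[^\]\\]|\\.)*\]|-)(?: (.*))?$")
_PARAM = re.compile(r'(\S+?)="((?:[^"\\]|\\.)*)"')


def parse_record(line):
    """Parse a record produced by syslog_record back into its fields."""
    m = _HEADER.match(line)
    if not m:
        raise ValueError("not an RFC 5424 record: %r" % line)
    pri = int(m.group(1))
    params, sd_id = {}, None
    if m.group(7) != "-":
        sd_id, _, rest = m.group(7)[1:-1].partition(" ")
        for key, raw in _PARAM.findall(rest):
            params[key] = re.sub(r'\\(["\\\]])', r"\1", raw)  # undo PARAM-VALUE escaping
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": m.group(2),
            "hostname": m.group(3), "app": m.group(4), "msgid": m.group(6),
            "sd_id": sd_id, "params": params, "msg": m.group(8) or ""}


def assess_certificate(cert, now, critical_process, warn_days=30):
    """Expiry policy: warn before expiry, alarm loudly at expiry, and refuse only when
    the session does not protect a critical process. `cert` has the dictionary shape
    returned by ssl.SSLSocket.getpeercert()."""
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) / 86400
    if days_left > warn_days:
        action, severity = "continue", "INFO"
    elif days_left > 0:
        action, severity = "continue", "WARNING"  # renewal window
    elif critical_process:
        action, severity = "continue", "ALERT"    # expired: alarm, but keep the plant running
    else:
        action, severity = "refuse", "ERR"
    return {"action": action, "severity": severity, "days_left": round(days_left, 1)}


def handle_certificate(cert, now, critical_process, hostname="ot-gw-01"):
    """Apply the policy and return (decision, syslog line) so the outcome is always logged."""
    decision = assess_certificate(cert, now, critical_process)
    cn = dict(pair for rdn in cert["subject"] for pair in rdn).get("commonName", "?")
    record = syslog_record(decision["severity"], hostname, "ot-gw", "CERT",
                           {"cn": cn, "notAfter": cert["notAfter"],
                            "daysLeft": decision["days_left"], "action": decision["action"]},
                           "peer certificate check", now)
    return decision, record


NOW = datetime(2025, 3, 19, 12, 0, tzinfo=timezone.utc)  # constructed clock for the example
CONSTRUCTED_EVENTS = [  # (severity, msgid, params, message); invented sample data
    ("NOTICE", "CONFIG", {"user": "eng.alice", "object": "PLC1/MainRoutine",
                          "old": "v12", "new": "v13", "note": 'rung 4 "bypass" added'},
     "engineering logic changed"),
    ("WARNING", "SECURITY", {"user": "admin", "src": "10.0.0.77", "result": "failed"},
     "authentication failure"),
    ("CRIT", "SAFETY", {"loop": "PT-101", "state": "tripped"}, "safety interlock trip"),
]
EXPIRED_CERT = {"subject": ((("commonName", "plc-01.example.net"),),),
                "notAfter": "Mar  1 00:00:00 2025 GMT"}  # constructed, already expired at NOW


def emit_constructed_events(hostname="plc-01"):
    return [syslog_record(sev, hostname, "plc-fw", msgid, params, msg, NOW)
            for sev, msgid, params, msg in CONSTRUCTED_EVENTS]


if __name__ == "__main__":
    for line in emit_constructed_events():
        print(line)
    for critical in (True, False):
        decision, line = handle_certificate(EXPIRED_CERT, NOW, critical)
        print(decision["action"], line)
```

Two details matter for incident response: every value in the structured-data block is escaped per the RFC so a quote or bracket in an operator's comment cannot break a downstream parser, and the certificate decision is written to the same log stream with its own message ID, so an expired certificate on a critical link shows up as an ALERT rather than disappearing into a silently continuing session.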

Secure Controls: The product is resilient to threat actors sending malicious emergency, safety, or diagnostic commands; protects the availability of essential functions; withstands active security scanning; and minimizes the impact of an incident on the overall system. Seek out manufacturers who can demonstrate trusted safety-critical controls and explain how operators can continuously verify and regain that trust.

Strong Authentication: The baseline version of the product, especially safety-critical equipment, protects against unauthorized access through appropriate control measures, including role-based access control and phishing-resistant multifactor authentication. Seek out manufacturers that have eliminated the use of shared role-based passwords in their products.

Threat Modeling: The product has a full and detailed threat model. Seek out products that have an up-to-date threat model that articulates the ways in which it might be compromised, along with security measures implemented to reduce these threat scenarios.

Vulnerability Management: The manufacturer has a comprehensive vulnerability management regime in which products are rigorously tested to help ensure they contain no known exploitable vulnerabilities. Each product has a clearly defined support period during which vulnerabilities are managed and patches are supplied free of charge. Seek out manufacturers who include a hardware and software bill of materials (HBOM/SBOM) with product delivery and who commit to timely remediation of vulnerabilities through a vulnerability disclosure program.

Upgrade and Patch Tooling: The product has a well-documented and easy to follow patch and upgrade process and supports moving to a supported operating system version at no extra cost if the original operating system is soon to be no longer supported. Seek out products whose updates can be verified and that support owner-controlled patch management.

By rigorously enforcing purchasing decisions that require and prioritize products that meet these elements, critical infrastructure organizations can help mitigate current and emerging cyber threats to critical infrastructure and create a path away from legacy environments.

In doing so, OT owners and operators also send a message to manufacturers that stimulates the supply of Secure by Design products. Manufacturers that implement these considerations can establish a resilient and flexible cybersecurity foundation in their products that OT owners and operators can build on over the coming decades. Owners and operators may additionally need to consider regulatory requirements, such as the European Union's (EU's) NIS2 Directive, during digital systems acquisition. The NIS2 Directive requires critical infrastructure entities and certain other entities providing services in the Union to take measures to ensure that the products deployed on their networks are secure. Several countries and regions have also started laying down security-by-design in law, such as the EU's Delegated Regulation under the Radio Equipment Directive, which applies from 1 August 2025, and the Cyber Resilience Act, which entered into force on December 10, 2024. Where applicable, owners and operators should ensure that the products they buy comply with applicable legal obligations and carry the required marks of regulatory compliance.
